🚀Launch Week 04, May 13th - 17th, 2024!🚀
Powerpipe Hub 
Hub
Mods
turbot/oci_compliance
Overview
3Dashboards
133Controls
43Queries
2Variables
GitHub
Loading controls...

Control: 4.15 Ensure a notification is configured for Oracle Cloud Guard problems detected

Description

Cloud Guard detects misconfigured resources and insecure activity within a tenancy and provides security administrators with the visibility to resolve these issues. Upon detection, Cloud Guard generates a Problem. It is recommended to setup an Event Rule and Notification that gets triggered when Oracle Cloud Guard Problems are created, dismissed or remediated. Event Rules are compartment scoped and will detect events in child compartments. It is recommended to create the Event rule at the root compartment level.

Cloud Guard provides an automated means to monitor a tenancy for resources that are configured in an insecure manner as well as risky network activity from these resources. Monitoring and alerting on Problems detected by Cloud Guard will help in identifying changes to the security posture.

Remediation

From Console

  1. Go to the Events Service page: https://cloud.oracle.com/events/rules.
  2. Select the compartment that should host the rule.
  3. Click Create Rule.
  4. Provide a Display Name and Description.
  5. Create a Rule Condition by selecting Cloud Guard in the Service Name Drop-down and selecting: Detected – Problem, Remediated – Problem, and Dismissed - Problem.
  6. In the Actions section select Notifications as Action Type.
  7. Select the Compartment that hosts the Topic to be used.
  8. Select the Topic to be used.
  9. Optionally add Tags to the Rule.
  10. Click Create Rule.

From CLI

  1. Find the topic-id of the topic the Event Rule should use for sending Notifications by using the topic name and Compartment OCID
Find the topic-id of the topic the Event Rule should use for sending Notifications
by using the topic name and Compartment OCID
  1. Create a JSON file to be used when creating the Event Rule. Replace topic id, display name, description and compartment OCID.
{
  "actions":
    {
    "actions": [
      {
        "actionType": "ONS",
        "isEnabled": true,
        "topicId": "<topic id>"
      }
    ]
  },
  "condition": "{\"eventType\":[\" com.oraclecloud.cloudguard.problemdetected\",\"com.oraclecloudcloudguardproblemdismissed\",\"com.oraclecloud.cloudguard.problemremediated\"],\"data\":{}}",
  "displayName": "<display name>",
  "description": "<description>",
  "isEnabled": true,
  "compartmentId": "compartment OCID"
}
  1. Create the actual event rule.
oci events rule create --from-json file://event_rule.json
  1. Note in the JSON returned that it lists the parameters specified in the JSON file provided and that there is an OCID provided for the Event Rule.

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v200_4_15

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v200_4_15 --share

SQL

This control uses a named query:

events_rule_notification_cloud_guard_problems_detected

Tags

category = Compliance
cis = true
cis_item_id = 4.15
cis_level = 1
cis_section_id = 4
cis_type = automated
cis_version = v2.0.0
plugin = oci
service = OCI/ONS